QUESTION 21

- (Topic 1)
Documentation of workaround processes to keep a business function operational during recovery of IT systems is a core part of a:

Correct Answer: C
A business continuity plan (BCP) is a system of prevention and recovery from potential threats to a company. The plan ensures that personnel and assets are protected and are able to function quickly in the event of a disaster [1]. A core part of a BCP is the documentation of workaround processes to keep a business function operational during recovery of IT systems. Workaround processes are alternative methods or procedures that can be used to perform a business function when the normal IT systems are unavailable or disrupted [2]. For example, if an online payment system is down, a workaround process could be to accept manual payments or use a backup system. Workaround processes help to minimize the impact of IT disruptions on the business operations and ensure continuity of service to customers and stakeholders [3].
References:
- [1] explains what a business continuity plan is and why it is important.
- [2] defines what a workaround process is and how it can be used in a BCP.
- [3] provides examples of workaround processes for different business functions.

QUESTION 22

- (Topic 2)
The due date of an audit project is approaching, and the audit manager has determined that only 60% of the audit has been completed. Which of the following should the audit manager do FIRST?

Correct Answer: A
The first thing that the audit manager should do when faced with a situation where only 60% of the audit has been completed and the due date is approaching is to determine where delays have occurred. This can help the audit manager to identify and analyze the root causes of the delays, such as unexpected issues, scope changes, resource constraints, communication problems, etc., and evaluate their impact on the audit objectives, scope, quality, and timeline. Based on this analysis, the audit manager can then decide on the best course of action to address the delays and complete the audit successfully. Assigning additional resources to supplement the audit is a possible option for resolving delays in an audit project, but it is not the first thing that the audit manager should do, as it may not be feasible or effective depending on the availability, cost, and suitability of the additional resources. Escalating to the audit committee is a possible option for communicating delays in an audit project and seeking guidance or support from senior management, but it is not the first thing that the audit manager should do, as it may not be necessary or appropriate depending on the severity and urgency of the delays. Extending the audit deadline is a possible option for accommodating delays in an audit project and ensuring sufficient time for completing the audit tasks and activities, but it is not the first thing that the audit manager should do, as it may not be possible or desirable depending on the contractual obligations, stakeholder expectations, and regulatory requirements.

QUESTION 23

- (Topic 2)
In an online application, which of the following would provide the MOST information about the transaction audit trail?

Correct Answer: C
The most information about the transaction audit trail in an online application can be obtained by reviewing the system/process flowchart. A system/process flowchart is a diagram that illustrates the sequence of steps, activities, or events that occur within or affect a system or process. A system/process flowchart can provide the most information about the transaction audit trail in an online application, by showing how transactions are initiated, processed, recorded, and completed, and identifying the inputs, outputs, controls, and dependencies involved in each transaction. File layouts are specifications that define how data are structured or organized on a file or database. File layouts can provide some information about the transaction audit trail in an online application, by showing what data elements are stored or retrieved for each transaction, but they do not provide information about how transactions are executed or tracked. Data architecture is a framework that defines how data are collected, stored, managed, and used within an organization or system. Data architecture can provide some information about the transaction audit trail in an online application, by showing what data sources, models, standards, and policies are used for each transaction, but it does not provide information about how transactions are performed or monitored. Source code documentation is a description or explanation of the source code of a software program or application. Source code documentation can provide some information about the transaction audit trail in an online application, by showing what logic, algorithms, or functions are used for each transaction, but it does not provide information about how transactions are handled or audited.

QUESTION 24

- (Topic 4)
A programmer has made unauthorized changes to key fields in a payroll system report. Which of the following control weaknesses would have contributed MOST to this problem?

Correct Answer: D
The programmer having access to the production programs is the most likely control weakness that would have contributed to the unauthorized changes to the payroll system report. This is because the programmer could modify the production code without proper authorization, documentation, or testing, and bypass the change management process. This could result in errors, fraud, or data integrity issues in the payroll system. The programmer should only have access to the development or test environment, and the production programs should be under the control of a librarian or a change manager.
References:
- ISACA CISA Review Manual, 27th Edition, page 254
- 4 Types of Internal Control Weaknesses
- ACCT 4631 - Internal Auditing: CIA Quiz Topic 6 Flashcards

QUESTION 25

- (Topic 4)
During a follow-up audit, an IS auditor finds that senior management has implemented a different remediation action plan than what was previously agreed upon. Which of the following is the auditor's BEST course of action?

Correct Answer: B
The IS auditor’s best course of action is to evaluate the implemented control to ensure it mitigates the risk to an acceptable level. This is because the objective of a follow-up audit is to verify that corrective actions have been accomplished as scheduled and that they are effective in preventing or minimizing future recurrence [1]. If senior management has implemented a different remediation action plan than what was previously agreed upon, the IS auditor should assess whether the alternative control is adequate and appropriate for the situation. Requesting justification from management for not implementing the recommended control (option D) may be a secondary step, but it is not the best course of action. Reporting the deviation by the control owner in the audit report (option A) may be premature and unnecessary if the implemented control is satisfactory. Canceling the follow-up audit and rescheduling for the next audit period (option C) is not advisable, as it would delay the verification of the effectiveness of the implemented control and potentially expose the organization to further risks.
References:
- [1] Follow-up Audits - Canadian Audit and Accountability Foundation